CentOS/Redhat PHP updates break sessions with suPHP

Posted: 2013-12-12 12:50:14 by Alasdair Keyes

Direct Link | RSS feed


The recent PHP update for Redhat/CentOS has brought to light a problem I've seen before and always forget about.

When the PHP RPM is installed or updated, it resets the permissions on the PHP session directory to the package defaults:

# stat /var/lib/php/session | grep Uid
Access: (0770/drwxrwx---)  Uid: (    0/    root)   Gid: (   48/  apache)

Like many, I run suPHP, so each site executes PHP as its own user. This breaks sessions for every site on the server, as only root and members of the apache group can write to that directory.

As a fix, I've pointed PHP's session save path at a custom directory with mode 1777:

mkdir /var/lib/php/mynewsessionfolder
chmod 1777 /var/lib/php/mynewsessionfolder

Then create a file called /etc/php.d/customsession.ini containing:

session.save_path = /var/lib/php/mynewsessionfolder

Mode 1777 makes the directory world-writable with the sticky bit set: any user can create files in it, but only a file's owner (or root) can delete or rename it, which is what stops one site from removing or replacing another site's sessions. The session files themselves are created by PHP with mode 600, so only the owning user can read or write them:

# ls -l /var/lib/php/mynewsessionfolder
total 4
-rw------- 1 auser auser 377 Dec 12 12:45 sess_6pjpshqnr06egukas50s0mhjk6

The next PHP update will reset the permissions on the standard session directory again, but that no longer matters: the RPM knows nothing about /etc/php.d/customsession.ini or the new directory, so it leaves both alone. One caveat for shared hosts: because the directory is world-readable, any local user can list the sess_* file names, which are the session IDs of every site on the box; if that matters, give each site its own save_path.
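As an added example that is not part of the original post, the steps above as a script, together with a check that a cron job or post-update hook can run to confirm the directory still has mode 1777 after a PHP RPM update. The paths are the ones used in this post; GNU stat is assumed for the mode check.

```shell
#!/bin/sh
# Added example, not from the original post: create the private session
# directory for suPHP sites and give cron (or a post-yum hook) a way to confirm
# it is still usable by every site user. Neither path is package-managed, so a
# PHP RPM update will not touch them. Paths are assumptions taken from the post.

SESSION_DIR=${SESSION_DIR:-/var/lib/php/mynewsessionfolder}
SESSION_INI=${SESSION_INI:-/etc/php.d/customsession.ini}

# 1777: world-writable with the sticky bit, so any site user can create a
# session file but only a file's owner (or root) can delete or rename it.
setup_session_dir() {
    mkdir -p "$1"
    chmod 1777 "$1"
}

# Write the php.d fragment that points PHP at the new directory.
write_session_ini() {
    printf 'session.save_path = %s\n' "$2" > "$1"
}

# Octal mode of a path as printed by GNU stat, e.g. 1777 (assumes GNU coreutils).
mode_of() {
    stat -c '%a' "$1"
}

# Returns 0 when the directory exists and still has mode 1777; non-zero when
# something (such as an RPM scriptlet) has reset it, the symptom in the post.
session_dir_ok() {
    [ -d "$1" ] && [ "$(mode_of "$1")" = "1777" ]
}

# Usage as root:
#   setup_session_dir "$SESSION_DIR"
#   write_session_ini "$SESSION_INI" "$SESSION_DIR"
#   session_dir_ok "$SESSION_DIR" || echo "session dir permissions reset" >&2
```

Run session_dir_ok from a daily cron job or straight after yum update; it is the same check as the stat command at the top of the post, just in a form that fails loudly.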


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

Noisili - Relaxing Noises

Posted: 2013-12-12 10:49:16 by Alasdair Keyes



I was forwarded this link today; it's a website that provides background and ambient noise such as rain, forest sounds, even running water (although I'm not sure that will have a relaxing effect).

http://www.noisli.com/

My office is often quite noisy, being in the same room as people on the phone all the time, and sometimes listening to music is too distracting, so this could be my new favourite site at work.



Cryptography Introduction

Posted: 2013-12-11 12:10:54 by Alasdair Keyes



Cryptography is one of the most important branches of maths in the modern age.

Almost everything that requires security or secrecy in our lives relies on it. However, the basics of it aren't well understood by many, even those who work with it daily, such as system administrators.

Cryptography can get very complex, well beyond anyone without a doctorate, but a basic grounding in some of the principles behind it is very useful (and interesting, if you're that way inclined).

I came across these videos whilst browsing Reddit which I would recommend to anyone that wants to learn more.

Public key (Or Asymmetric) Cryptography: Diffie-Hellman Key Exchange

Gambling with secrets (Cryptography)

RSA Encryption



Elementary OS

Posted: 2013-08-22 12:56:53 by Alasdair Keyes



For the past 6 months or so I've been running Linux Mint 15 as my desktop OS. It can be a little slow in its operation, with a slight lag in response to mouse clicks etc., so I've been on the lookout for a new desktop distro when someone pointed out Elementary OS.

It's fairly new and based on Ubuntu 12.04 LTS. It's highly customised to look like OS X; while I'm not a huge fan of the OS X interface, it does have some nice features.

I installed it on a VM for a quick play and the first thing I noticed was how fast it was. Everything seemed to open instantly.



PHP Session Garbage Collecting - Not great for shared hosting (Repost)

Posted: 2013-04-02 12:28:47 by Alasdair Keyes



This is a repost of an old article that I transferred across from my previous blog. I've only just noticed that it was incomplete, so I've completed it and reposted it.

I look after a fair-sized Linux shared hosting cluster (20,000+ websites), and to provide PHP session persistence between the servers in the cluster, PHP sessions are stored on an NFS share.

I noticed that a number of processes were running for a long time on the Apache servers. At first I thought this was due to loops or bad coding on the part of the website owners, but it didn't seem to be restricted to any particular users.

After running strace on one of these processes I saw that they were getting permission denied while trying to delete large numbers of PHP session files.

It turns out that PHP implements its own internal garbage collection to get rid of old sessions. As we run suPHP, each PHP process runs as the site's own user and, because the shared session directory has the sticky bit set, can only delete that site's session files; but that doesn't stop the collector from walking the whole session directory and attempting to delete every expired session it finds, failing on all the ones it doesn't own.

With 20,000 websites, most of which run PHP CMSes, this is quite a drain, compounded by the fact that the sessions live on an NFS share, which adds overhead to every filesystem request.

The solution was to turn off PHP's automatic garbage collection. Create the config fragment /etc/php.d/disable_session_gc.ini on each webhead with the following content:

; Disable auto session garbage collector
session.gc_probability = 0

Obviously I didn't want the sessions building up on our NFS filer, so I just set up a daily cron job that calls tmpwatch to delete old files. I decided 7 days would be adequate. Two things to be aware of: tmpwatch makes its decision on atime by default, so if the export is mounted noatime use its --mtime option (modification time is also what PHP's own collector compares against session.gc_maxlifetime); and with the built-in collector disabled, a session file stays on disk, and readable by PHP, until this job removes it, so the 168-hour window is now the effective maximum session lifetime.

/etc/cron.daily/clear_php_sessions.sh

#!/bin/sh
# PHP's own session garbage collection is disabled (session.gc_probability = 0),
# so remove session files untouched for 168 hours (7 days) from the NFS export.
/usr/sbin/tmpwatch 168 /exports/php/sessions
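As an added example that is not part of the original post, a find-based alternative to the tmpwatch job that only touches PHP session files and, like PHP's own collector, decides on modification time rather than access time. It also reports how many files it removed, so the cron mail shows whether the job is keeping up with the filer. The directory path and the 168-hour window are taken from the post; GNU or BSD find is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: a replacement for the tmpwatch
# cron job that only considers files named sess_* directly inside the session
# directory and uses mtime (what PHP's own GC compares against gc_maxlifetime)
# rather than tmpwatch's default of atime. Paths are assumptions.

# List session files in $1 whose mtime is older than $2 hours. Restricting the
# match to sess_* at depth 1 means a mistyped path can never take out anything
# other than session files. Use this as a dry run before enabling deletion.
stale_sessions() {
    dir="$1"; hours="$2"
    find "$dir" -maxdepth 1 -type f -name 'sess_*' -mmin "+$((hours * 60))"
}

# Delete the files stale_sessions would list and print how many were removed.
purge_stale_sessions() {
    dir="$1"; hours="$2"
    find "$dir" -maxdepth 1 -type f -name 'sess_*' -mmin "+$((hours * 60))" \
        -print -delete | wc -l | tr -d ' '
}

# Cron usage (assumed paths), e.g. from /etc/cron.daily/clear_php_sessions.sh:
#   purge_stale_sessions /exports/php/sessions 168
```

Because the job runs as root from cron rather than as a site user, it is not affected by the sticky bit that defeats PHP's per-process collector, and it makes exactly one pass over the directory per day instead of one per unlucky request.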



Sprechen sie Deutsch?

Posted: 2013-02-06 23:13:46 by Alasdair Keyes



Nein :(

But I'm learning, in a break from my computer related antics, I've started learning German. I've always found myself fairly comfortable with maths and logic, but languages have always been beyond my grasp. My French has always been shady, I usually end up telling someone that their Grandmother uses a Rubik's cube in a manner other than intended. There's just no logic to languages.... I mean, how are you supposed to remember the difference between masculine and feminine nouns and which conjugation of verb to use, quite frankly, I have no idea what that is in English.

But then I heard about http://duolingo.com, a website that teaches you various languages from the beginning. It teaches very brief sentences and then asks you to translate, both to and from English, and also lets you speak it and grades your performance. New words are slowly introduced and I apparently know 29 words in German.... dies ist gut, ja?

Obviously you may wish to learn another language, but even after just a few days, spending 30 minutes in the evening I can start to speak some simple German sentences, I can't recommend it highly enough.



Stability vs. Security vs. Functionality

Posted: 2013-01-15 20:49:36 by Alasdair Keyes



In the world of GNU/Linux there are a number of well-known enterprise distributions that have gained a reputation for stability and reliability. Red Hat Enterprise Linux bills itself as the number one enterprise distribution, and Debian also has a reputation among sysadmins for being rock solid.

These distributions are reliable and stable, but that comes at a cost. Recent releases of software often contain bugs and/or security flaws, which puts people off upgrading until the bugs have been worked out, and it is this policy that Debian and Red Hat adopt to earn their reputation for reliability. The catch is that the newly released software also carries the latest security fixes and new features.

This creates a trade-off between running the latest software, which is patched for all known bugs and has more functionality, and running older software, which is more reliable but has fewer features and lacks the latest patches.

Of course, Red Hat and other vendors do backport security patches when flaws are found, and Red Hat has its Fedora project at the bleeding edge of software releases, but I think the days of large distributions running far out-dated software are coming to an end. Backporting patches in this manner is effective, but it is usually only done once a flaw has actually been exploited rather than when upstream fixed the bug, and the gap between the two can be large. Debian has within the past few years started catching up with the latest upstream software, and I think this is the right track.

Some of you may have already worked out that the recent Exim remote root exploit triggered this post. More information can be found at http://www.theregister.co.uk/2010/12/11/exim_code_execution_peril/ and https://rhn.redhat.com/errata/RHSA-2010-0970.html.



Firewalls... there for a reason

Posted: 2013-01-15 20:49:36 by Alasdair Keyes



Everyone knows the necessity of firewalls on modern computer systems, protecting everything from the heavy iron down to your home PC, yet I've noticed a strange trend of companies simply not bothering with host-based software firewalls at all.

I know most companies have many firewall appliances restricting access to the various parts of their network, and combined with correct routing these can lock a network down very tightly, but I still think it's paramount to run software firewalls on all your boxes.

No one designs their network to be attacked, but any network that has been in production for several years will have been changed, re-patched, amended, had VLANs updated and routes added, and will still carry that "temporary" firewall exception you added to grant an entire subnet access on all ports because you couldn't see why you were getting connection errors. Over that time mistakes get made, and one of them may give a small opening to someone you don't want in your network. With the plethora of automated network penetration and hacking scripts about, it only takes one going unnoticed for a couple of months, probing and prodding at your network, to find a way through to some very sensitive parts of your infrastructure.

Software firewalls certainly shouldn't be your only protection, but I would consider them both the first and the last line of defence. On shared hosting web servers they are the first line of defence against a nasty binary uploaded through an insecure PHP script. On internal and backend systems such as database servers they are the last line of defence when someone has got through the rest of your network security and is one step away from brute-forcing your MySQL logins.

One excuse given is that a software firewall adds undue load to a server. To a degree this is correct, but if a server handles so many hundreds of thousands of connections that a software firewall bogs it down, you should be looking at load balancing so that you can spread that load over more hardware.

Most of my career has been spent in shared hosting environments, where we actively open up our networks to potential compromise. Anyone can buy shared hosting for very little money and run pretty much any PHP/Ruby/Perl/Python script they wish, and with the advent of more and more WordPress and Joomla exploits it doesn't take long before you find shady scripts attempting to be executed.
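As an added example that is not part of the original post: a default-deny host ruleset for a backend MySQL server of the kind described above, generated by a small shell function so it can be templated per host, plus a check that reads iptables-save output and flags INPUT ACCEPT rules with no port restriction, which is exactly the "entire subnet on all ports" exception mentioned above. The subnets, the conntrack match (iptables on CentOS 6 or later; older hosts would use -m state --state) and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a last-line-of-defence ruleset for
# a database server, in iptables-restore format, and a check that finds
# "temporary" catch-all exceptions in an existing ruleset. Subnets and the use
# of the conntrack match are assumptions for illustration.

# Emit a complete iptables-restore ruleset. Everything inbound is dropped unless
# it is loopback, a reply to an existing connection, SSH from the management
# network, or MySQL from the application network. Drops are logged (rate
# limited) so a scan of the box shows up in the logs rather than vanishing.
db_ruleset() {
    app_net="$1"    # e.g. 10.0.1.0/24: the only hosts that may talk MySQL
    mgmt_net="$2"   # e.g. 10.0.9.0/24: where admins SSH from
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s $mgmt_net -p tcp --dport 22 -j ACCEPT
-A INPUT -s $app_net -p tcp --dport 3306 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# Read a ruleset in iptables-save format on stdin and print every INPUT ACCEPT
# rule that is not restricted to a port, loopback or connection state. These
# are the "whole subnet on all ports" exceptions that quietly outlive the
# connection problem they were added to work around.
flag_broad_accepts() {
    grep -- '^-A INPUT ' | grep -- '-j ACCEPT' \
        | grep -v -- '--dport' | grep -v -- '-i lo' | grep -v -- '--ctstate'
}

# Usage (as root, assumed subnets):
#   db_ruleset 10.0.1.0/24 10.0.9.0/24 | iptables-restore
#   iptables-save | flag_broad_accepts      # audit a box that is already running
```

Running the audit over the generated ruleset prints nothing; running it over a box that has picked up a rule like "-A INPUT -s 192.168.50.0/24 -j ACCEPT" prints that line, which is the one worth asking questions about.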



Desktop VMs with Virtualbox

Posted: 2013-01-15 20:49:36 by Alasdair Keyes



I've recently been doing some development of a cluster of machines, and obviously virtualisation is the way to go.

To this end I've been using VirtualBox a great deal. I'm not really a great fan of Oracle, either with their flagship DB or with some of the decisions they've made surrounding MySQL since they acquired it from Sun. However, along with their acquisition of Sun they got VirtualBox, and in my eyes it can do no wrong.

It's a very simple, lightweight hypervisor with good support for a range of guest OSes. I've not yet found one that won't install: SuSE, CentOS 4/5/6, Red Hat, Ubuntu, Debian, OpenSolaris (I've not tried silly examples like Windows 95).



Disks failing everywhere

Posted: 2013-01-15 20:49:36 by Alasdair Keyes



It must be the lovely "sunny" weather England is experiencing at the moment: I've had three hard disks fail on me today, one in my desktop and two in servers.


